@checkstack/secrets-backend 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,148 @@
+# @checkstack/secrets-backend
+
+## 0.1.0
+
+### Minor Changes
+
+- 270ef29: Fix suspend/resume durability + complete the run-wide secret-masking guarantee.
+
+  A panel review confirmed several defects in the automation dispatch engine's suspend/resume durability and in the run-wide masking choke point. These survived because the unit suite stubbed the seam under test; the fixes ship with tests that exercise the real suspend / sweep / resume paths.
+
+  Suspend/resume durability:
+
+  - **Stalled sweeper no longer re-runs intentional waits.** `findStalledRunIds` now joins `automation_runs` and returns only `status = 'running'` runs, and suspend-finalisation no longer clobbers the run's `lastActionPath` checkpoint to `null`. Previously any wait longer than the stale window (>60s) was re-walked from the top every sweep cycle, re-firing pre-wait side effects and leaking wait locks. The wait-aware sweeps now also run before the stalled-run sweep.
+  - **Stalled recovery refuses a run holding a live wait lock.** `recoverStalledRun` now only recovers a genuinely-`running` run with no wait lock; a crash-mid-wait recovery is left to the wait/resume paths instead of re-walking from the top and creating a duplicate lock + duplicate delay job.
+  - **Cancelled runs can no longer resurrect.** `resumeRun` guards on `status === 'waiting'` (mirroring `checkWaitUntil`) and drops any stale lock for a non-waiting run, so `wakeWaitingRuns` / delay-expiry / a racing queue job can't wake a cancelled or terminal run. `cancelActiveRuns` (restart mode) now deletes the cancelled runs' wait locks + run-state in the same operation.
+  - **Concurrency check-then-create is serialized.** The `mode` check + `createRun` now run under a transaction-scoped advisory lock keyed on `(automationId, scope)`, so two concurrent fires can't both pass a `single`-mode "no active run" check and double-run.
+
+  Masking guarantee (now genuinely covers scope + artifacts):
+
+  - **The run-wide masking choke point now also masks the durable scope snapshot and produced artifacts.** The `RunSecretRegistry` is threaded into `RunStateStore.upsert` (masks `scopeSnapshot`) and `ArtifactStore.record` (masks `data`) so a resolved connection credential threaded into `scope.variables` or surfaced into an artifact is redacted before persist - and therefore cannot reach a read-only user via `getRunScopeForReplay`. **GUARANTEE CHANGE**: run-wide masking now covers step output, run error, scope snapshot, and artifact data for every action.
+  - **`testConnection` / `testProviderConnection` mask provider errors.** These RPCs run outside a dispatch run, so they build a per-call mask set from the resolved/submitted connection config and run any provider error through it before returning, so a provider error echoing a token can't cross back to the browser.
+  - **Short secrets surface a warning.** `setSecret` now warns when a value is shorter than `MIN_MASKABLE_LENGTH` (4) that it cannot be auto-redacted (the threshold is intentionally not lowered).
+
+  Internal:
+
+  - `@checkstack/backend-api`: `withXactLock`'s `fn` now receives the transaction handle `tx` so a critical section can run on the locked connection; the doc clarifies why running on the pool inside the lock window is still safe. The incident dedup caller's comment is corrected accordingly. `RunStore` gains `findWaitLocksByRun`.
+
+- 270ef29: Add the Secrets platform (Phase 1): a central, plugin-agnostic secret manager with a pluggable backend extension point, a cross-plugin resolver service, and a universal Jenkins-style masking layer.
+
+  - New packages: `secrets-common` (schemas, contract, `secrets.read`/`secrets.manage`, masking utils), `secrets-backend` (`SecretBackend` extension point, `secretResolverRef`/`secretAdminRef` services, run-scoped masking context, RPC router), `secrets-backend-local` (default AES-256-GCM backend, owns the `secrets` table promoted from gitops), `secrets-frontend` (admin Settings page).
+  - Resolution machinery (`resolveSecretsBySchema`, `SecretStore`, `${{ secrets.NAME }}` / `x-secret`) is promoted out of `gitops-backend` into `secrets-backend`. GitOps now resolves and manages secrets through the platform's service refs (single source of truth); its secret table is migrated without loss.
+  - Universal masking seam wired at the central script-output boundaries: automation `run_script` / `run_shell` artifacts and the in-UI test panel redact run-scoped secret values from `result`/`stdout`/`stderr`/`error` before persist/return. Phase 1 resolves no run-scoped secrets yet, so masking is a no-op until Phase 2; the seam guarantees the boundary exists.
+  - No endpoint returns a secret value to a browser: DTOs expose only name/metadata/`hasValue`.
+
+  BREAKING CHANGES: `gitops-backend` now depends on `secrets-backend` and resolves/manages secrets through it. The `secrets` table is owned by `secrets-backend-local`; the gitops `secrets` table is retained as a migration source but is no longer the source of truth.
+
+- 270ef29: Secrets platform Phase 4: HashiCorp Vault backend + backend selection.
+
+  - New `@checkstack/secrets-backend-vault`: a read-through `SecretBackend`
+    against Vault. Token, AppRole, and OIDC/JWT auth (session cached to the
+    lease TTL, capped); KV v2 reads mapped via the backend's own
+    `secret_index` table (name → path/key); read-through value cache with a
+    capped TTL (rotated values re-read). `list()` returns metadata only,
+    never values. Minimal typed HTTP client (no extra dependency), injectable
+    fetch for testing.
+  - Backend selection: the active backend is persisted via `ConfigService`
+    and switchable in Settings → Secrets; switching re-routes resolution.
+    New `setBackendConfig` / `testBackend` RPCs (manage-gated, status-only)
+    and `getBackendConfig` now returns Vault connection metadata
+    (`hasCredential`, never the credential). `SecretBackend` gains optional
+    `test` / `configure` / `getConfigMeta`.
+  - The Vault auth credential is stored as an `x-secret` config field
+    (encrypted at rest with the AES-GCM master key, redacted on read) —
+    bootstrapping it WITHOUT putting it in Vault. It is write-only over the
+    API and never logged.
+  - Admin UI: backend selector + Vault connection form + "Test connection".
+
+  Satellite-direct-Vault (a satellite reading Vault itself) is deferred to a
+  follow-up; core-mediated delivery already routes through the Vault backend.
+
+- 270ef29: Secrets platform Phase 5: internal-secret consolidation (registry token) + connection-credential leak hardening.
+
+  - New `internalSecretsRef`: platform-internal secrets (not user-managed
+    named secrets) stored under a reserved `__internal__:` prefix, ALWAYS on
+    the local (always-writable, AES-GCM) backend so internal writes never
+    break when Vault is the active backend. Excluded from the user-facing
+    Secrets list.
+  - The script-package registry auth token is consolidated onto
+    `internalSecretsRef`. The `authSecretRef` column now holds a stable
+    marker; a one-time, idempotent, parity-verified migration moves legacy
+    inline ciphertext into the platform and only rewrites the column once the
+    platform copy reads back identically (legacy value never dropped early).
+    Resolution stays backward-compatible with legacy ciphertext.
+  - Integration: `createConnection` / `updateConnection` now return the
+    redacted connection preview instead of echoing the submitted credential
+    fields back in the response (leak hardening). Non-breaking — the frontend
+    refetches the redacted list and ignores the returned preview.
+
+  NOTE: integration connection-credential STORAGE is intentionally NOT
+  migrated onto the secrets platform. Connection creds are co-mingled
+  secret/non-secret config stored per-provider via `ConfigService` (which
+  already uses the same AES-GCM crypto + per-field redaction); splitting them
+  out would require per-provider schema-walking and a lossy migration across
+  live integrations for no real gain. The `ConnectionStore` API + storage are
+  unchanged.
+
+- 270ef29: Secrets platform Phase 5b: route integration connection credentials through the ONE secrets channel.
+
+  Connection credentials now resolve through the same secrets channel as
+  everything else, so a credential can originate from Vault and there is no
+  parallel credential-resolution code to drift. Two entry forms, both walked
+  by the shared `walkSecretFields` machinery (acting only on the provider
+  `connectionSchema`'s `x-secret` fields):
+
+  - Reference form: a `${{ secrets.NAME }}` template resolves through the
+    ACTIVE backend (local or Vault) via `secretResolverRef`.
+  - Inline form: an operator-typed value is extracted into an internal
+    secret on the local backend; the stored config keeps only a reference
+    marker, resolved via `internalSecretsRef`.
+
+  The `ConnectionStore` public API is unchanged: `listConnections` /
+  `getConnection` stay redacted; `getConnectionWithCredentials` inflates via
+  the unified channel. A one-time, idempotent, parity-verified, REVERSIBLE
+  migration (backup ConfigService entry per connection; rewrites only after
+  the platform copy reads back identically) moves existing inline
+  credentials onto the platform without breaking live connections.
+
+  `secrets-backend` exports `walkSecretFields` (the shared schema-walk behind
+  `resolveSecretsBySchema`, reused for the migration extract + inflate).
+
+  BREAKING CHANGES: a connection's stored credential fields may now hold a
+  `${{ secrets.NAME }}` reference or an internal-reference marker instead of
+  an inline value. Resolution is transparent (`getConnectionWithCredentials`
+  returns the same plaintext); a legacy inline value still resolves until the
+  one-time migration converts it.
+
+- b995afb: Hide secret write controls when the active backend is read-through.
+
+  When a read-through backend (e.g. Vault) was active, the Secrets admin page still showed the "Add a secret", Rotate, and Delete controls even though the backend correctly rejects writes (`set` / `delete` are intentionally unimplemented), so every attempt errored.
+
+  The active backend now reports a capability flag and the UI gates its write affordances on it instead of any hardcoded backend id, so other read-through backends are handled the same way.
+
+  Changes:
+
+  - `@checkstack/secrets-common`: add a `writable: boolean` field to `BackendConfigDto` (returned by `getBackendConfig`). It carries no sensitive data - a capability boolean only.
+  - `@checkstack/secrets-backend`: populate `writable` in the `getBackendConfig` handler by inspecting the resolved active backend (true only when it implements both `set` and `delete`; `false` for read-through backends or an unresolved active id). Exposes a small `isBackendWritable` helper.
+  - `@checkstack/secrets-frontend`: hide the create form, per-row Rotate / Delete buttons, and adjust the empty-state and helper text when the active backend is not writable, plus show a short "read-through" explainer. The local backend stays fully writable.
+
+  State & scale: `writable` is derived on read from the resolved active backend's capabilities (durable config selects the backend), so every pod computes the same answer; no new state is introduced.
+
+### Patch Changes
+
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+  - @checkstack/backend-api@0.19.0
+  - @checkstack/secrets-common@0.1.0

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@checkstack/secrets-backend",
+  "version": "0.1.0",
+  "description": "Secrets platform backend: resolver service, masking, backend extension point, RPC router",
+  "author": "Checkstack contributors",
+  "license": "Elastic-2.0",
+  "type": "module",
+  "main": "src/index.ts",
+  "exports": {
+    ".": {
+      "import": "./src/index.ts"
+    }
+  },
+  "checkstack": {
+    "type": "backend",
+    "pluginId": "secrets"
+  },
+  "scripts": {
+    "dev": "checkstack-dev",
+    "pack": "bunx @checkstack/scripts plugin-pack",
+    "typecheck": "tsgo -b",
+    "generate": "drizzle-kit generate",
+    "lint": "bun run lint:code",
+    "lint:code": "eslint . --max-warnings 0",
+    "test": "bun test"
+  },
+  "dependencies": {
+    "@checkstack/backend-api": "0.18.0",
+    "@checkstack/common": "0.12.0",
+    "@checkstack/secrets-common": "0.0.1",
+    "@orpc/server": "^1.13.2",
+    "drizzle-orm": "^0.45.0",
+    "uuid": "^14.0.0",
+    "zod": "^4.2.1"
+  },
+  "devDependencies": {
+    "@checkstack/scripts": "0.3.4",
+    "@checkstack/dev-server": "2.0.0",
+    "@checkstack/backend": "0.11.0",
+    "@checkstack/tsconfig": "0.0.7",
+    "@checkstack/drizzle-helper": "0.0.5",
+    "@checkstack/test-utils-backend": "0.1.31",
+    "@types/bun": "^1.3.5",
+    "@types/node": "^20.0.0",
+    "drizzle-kit": "^0.31.10",
+    "typescript": "^5.7.2"
+  }
+}

package/src/active-backend.test.ts

@@ -0,0 +1,46 @@
+import { describe, it, expect } from "bun:test";
+import { createSecretBackendRegistry } from "./secret-backend-registry";
+import { createActiveBackendStore } from "./active-backend";
+import type { SecretBackend } from "./secret-backend";
+
+function fakeBackend(id: string, values: Record<string, string>): SecretBackend {
+  return {
+    id,
+    get: async ({ name }) => values[name],
+    list: async () => [],
+  };
+}
+
+describe("createActiveBackendStore", () => {
+  it("resolves through whichever backend is active, and re-routes on switch", async () => {
+    const registry = createSecretBackendRegistry();
+    registry.register(fakeBackend("local", { db_pass: "local-value" }));
+    registry.register(fakeBackend("vault", { db_pass: "vault-value" }));
+
+    let active = "local";
+    const store = createActiveBackendStore({
+      backends: registry,
+      getActiveBackendId: async () => active,
+    });
+
+    expect(await store.resolve("db_pass")).toBe("local-value");
+
+    // Switch the active backend to vault — resolution re-routes with no
+    // other change (the Phase-4 acceptance: active_backend=vault routes
+    // resolution through Vault).
+    active = "vault";
+    expect(await store.resolve("db_pass")).toBe("vault-value");
+  });
+
+  it("throws a clear error when the active backend lacks the secret", async () => {
+    const registry = createSecretBackendRegistry();
+    registry.register(fakeBackend("vault", {}));
+    const store = createActiveBackendStore({
+      backends: registry,
+      getActiveBackendId: async () => "vault",
+    });
+    await expect(store.resolve("absent")).rejects.toThrow(
+      "Secret not found: absent",
+    );
+  });
+});

package/src/active-backend.ts

@@ -0,0 +1,28 @@
+import type { SecretBackendRegistry } from "./secret-backend-registry";
+import type { SecretStore } from "./secret-resolver";
+
+/**
+ * Build a {@link SecretStore} that resolves each name through whichever
+ * backend is currently active. Routing is dynamic: switching the active
+ * backend (e.g. local → vault) immediately changes where values resolve
+ * from, with no other plumbing change. Throws on a missing secret so a
+ * required reference fails clearly.
+ */
+export function createActiveBackendStore({
+  backends,
+  getActiveBackendId,
+}: {
+  backends: SecretBackendRegistry;
+  getActiveBackendId: () => Promise<string>;
+}): SecretStore {
+  return {
+    resolve: async (name: string): Promise<string> => {
+      const backend = backends.get(await getActiveBackendId());
+      const value = await backend.get({ name });
+      if (value === undefined) {
+        throw new Error(`Secret not found: ${name}`);
+      }
+      return value;
+    },
+  };
+}

package/src/admin-service.test.ts

@@ -0,0 +1,77 @@
+import { describe, it, expect, mock } from "bun:test";
+import { MIN_MASKABLE_LENGTH } from "@checkstack/secrets-common";
+import type { Logger } from "@checkstack/backend-api";
+import { createSecretAdminService } from "./admin-service";
+import type { SecretBackend } from "./secret-backend";
+
+function fakeBackend(): SecretBackend {
+  const store: Record<string, string> = {};
+  const backend: SecretBackend = {
+    id: "local",
+    get: async ({ name }: { name: string }) => store[name],
+    set: async ({ name, value }: { name: string; value: string }) => {
+      store[name] = value;
+    },
+    delete: async ({ name }: { name: string }) => {
+      delete store[name];
+    },
+    list: async () =>
+      Object.keys(store).map((name) => ({
+        id: name,
+        name,
+        description: null,
+        hasValue: true,
+        backend: "local",
+        createdBy: null,
+        createdAt: new Date(),
+        updatedAt: new Date(),
+      })),
+  };
+  return backend;
+}
+
+function makeService(logger?: Logger) {
+  const backend = fakeBackend();
+  return createSecretAdminService({
+    getActiveBackend: async () => backend,
+    onChanged: async () => {},
+    logger,
+  });
+}
+
+describe("L1 — setSecret warns on values too short to auto-redact", () => {
+  it("warns when a value is shorter than MIN_MASKABLE_LENGTH", async () => {
+    const warn = mock();
+    const logger = { warn, info: mock(), error: mock(), debug: mock() };
+    const admin = makeService(logger as unknown as Logger);
+
+    const short = "a".repeat(MIN_MASKABLE_LENGTH - 1);
+    await admin.setSecret({ name: "API_PIN", value: short });
+
+    expect(warn).toHaveBeenCalledTimes(1);
+    const message = String(warn.mock.calls[0]?.[0] ?? "");
+    expect(message).toContain("API_PIN");
+    expect(message).toContain("cannot be auto-redacted");
+    // Never echo the value itself.
+    expect(message).not.toContain(short);
+  });
+
+  it("does NOT warn for a value at or above the threshold", async () => {
+    const warn = mock();
+    const logger = { warn, info: mock(), error: mock(), debug: mock() };
+    const admin = makeService(logger as unknown as Logger);
+
+    await admin.setSecret({
+      name: "API_TOKEN",
+      value: "x".repeat(MIN_MASKABLE_LENGTH),
+    });
+
+    expect(warn).not.toHaveBeenCalled();
+  });
+
+  it("still stores the secret despite the warning (threshold is not changed)", async () => {
+    const admin = makeService();
+    const result = await admin.setSecret({ name: "PIN", value: "ab" });
+    expect(result.created).toBe(true);
+  });
+});

package/src/admin-service.ts

@@ -0,0 +1,91 @@
+import {
+  isInternalSecretName,
+  MIN_MASKABLE_LENGTH,
+  type SecretMetadata,
+} from "@checkstack/secrets-common";
+import type { Logger } from "@checkstack/backend-api";
+import type { SecretBackend } from "./secret-backend";
+
+/**
+ * Cross-plugin secret administration service (exposed via
+ * `secretAdminRef`). Lets a consumer plugin manage secrets through the
+ * active backend so there is a SINGLE source of truth — e.g. gitops
+ * delegates its legacy secret-management RPCs here instead of writing its
+ * own table.
+ *
+ * `list` returns metadata only (never values). `setSecret` is write-only.
+ * No method returns a value.
+ */
+export interface SecretAdminService {
+  list(): Promise<SecretMetadata[]>;
+  setSecret(input: {
+    name: string;
+    value: string;
+    description?: string;
+    createdBy?: string;
+  }): Promise<{ created: boolean }>;
+  deleteSecret(input: { name: string }): Promise<void>;
+}
+
+export function createSecretAdminService({
+  getActiveBackend,
+  onChanged,
+  logger,
+}: {
+  getActiveBackend: () => Promise<SecretBackend>;
+  onChanged: (input: {
+    name: string;
+    change: "created" | "rotated" | "deleted";
+  }) => Promise<void>;
+  /**
+   * Optional logger so `setSecret` can warn when a value is too short to be
+   * auto-redacted (see L1 below). Optional so existing call sites / tests
+   * that don't pass one degrade silently.
+   */
+  logger?: Logger;
+}): SecretAdminService {
+  return {
+    async list() {
+      const backend = await getActiveBackend();
+      const all = await backend.list();
+      // Hide platform-internal secrets (registry token, connection creds)
+      // from the user-facing list — they aren't user-managed named secrets.
+      return all.filter((m) => !isInternalSecretName(m.name));
+    },
+
+    async setSecret({ name, value, description, createdBy }) {
+      const backend = await getActiveBackend();
+      if (!backend.set) {
+        throw new Error(
+          `Backend "${backend.id}" is read-only; manage secrets in the external store.`,
+        );
+      }
+      // Values below MIN_MASKABLE_LENGTH can't be auto-redacted by the
+      // by-value masker (they'd over-mask coincidental substrings of normal
+      // output). Don't silently change the threshold — warn so the operator
+      // knows this secret won't be scrubbed from run logs / errors if it
+      // ever surfaces. (Length only; never echo the value.)
+      if (value.length < MIN_MASKABLE_LENGTH) {
+        logger?.warn(
+          `Secret "${name}" is ${value.length} character(s) long; values shorter than ${MIN_MASKABLE_LENGTH} cannot be auto-redacted from logs or error output. Consider a longer value.`,
+        );
+      }
+      const existing = await backend.list();
+      const created = !existing.some((m) => m.name === name);
+      await backend.set({ name, value, description, createdBy });
+      await onChanged({ name, change: created ? "created" : "rotated" });
+      return { created };
+    },
+
+    async deleteSecret({ name }) {
+      const backend = await getActiveBackend();
+      if (!backend.delete) {
+        throw new Error(
+          `Backend "${backend.id}" is read-only; manage secrets in the external store.`,
+        );
+      }
+      await backend.delete({ name });
+      await onChanged({ name, change: "deleted" });
+    },
+  };
+}

package/src/backend-config-store.ts

@@ -0,0 +1,76 @@
+import { z } from "zod";
+import { configString, type ConfigService } from "@checkstack/backend-api";
+import { vaultAuthMethodSchema } from "@checkstack/secrets-common";
+
+/**
+ * Persisted backend configuration, stored via the platform `ConfigService`
+ * (a single config row keyed by {@link BACKEND_CONFIG_ID}). The Vault auth
+ * `credential` is marked `x-secret`, so ConfigService encrypts it at rest
+ * with the AES-GCM master key (env-provided) and `getRedacted` strips it —
+ * this is how we bootstrap the Vault auth secret WITHOUT putting it in
+ * Vault (the chicken/egg in the plan). The credential is never returned to
+ * a browser and never logged.
+ */
+export const BACKEND_CONFIG_ID = "backend-config";
+export const BACKEND_CONFIG_VERSION = 1;
+
+/**
+ * Schema for ConfigService storage. Uses `configString({ "x-secret": true })`
+ * for the credential so it is encrypted at rest + redacted on safe reads.
+ */
+export const storedBackendConfigSchema = z.object({
+  activeBackend: z.string().default("local"),
+  vault: z
+    .object({
+      address: z.string(),
+      mount: z.string().default("secret"),
+      authMethod: vaultAuthMethodSchema,
+      role: z.string().optional(),
+      authMount: z.string().optional(),
+      namespace: z.string().optional(),
+      /** Encrypted at rest; stripped by getRedacted. */
+      credential: configString({ "x-secret": true }).optional(),
+    })
+    .optional(),
+});
+
+export type StoredBackendConfig = z.infer<typeof storedBackendConfigSchema>;
+
+/**
+ * Thin store over ConfigService for the backend config. `load` decrypts the
+ * credential (service-only, for resolving against Vault); `loadRedacted`
+ * omits it (safe for the frontend DTO).
+ */
+export interface BackendConfigStore {
+  load(): Promise<StoredBackendConfig | undefined>;
+  loadRedacted(): Promise<Partial<StoredBackendConfig> | undefined>;
+  save(config: StoredBackendConfig): Promise<void>;
+}
+
+export function createBackendConfigStore({
+  config,
+}: {
+  config: ConfigService;
+}): BackendConfigStore {
+  return {
+    load: () =>
+      config.get(
+        BACKEND_CONFIG_ID,
+        storedBackendConfigSchema,
+        BACKEND_CONFIG_VERSION,
+      ),
+    loadRedacted: () =>
+      config.getRedacted(
+        BACKEND_CONFIG_ID,
+        storedBackendConfigSchema,
+        BACKEND_CONFIG_VERSION,
+      ),
+    save: (data) =>
+      config.set(
+        BACKEND_CONFIG_ID,
+        storedBackendConfigSchema,
+        BACKEND_CONFIG_VERSION,
+        data,
+      ),
+  };
+}

package/src/hooks.ts

@@ -0,0 +1,14 @@
+import { createHook } from "@checkstack/backend-api";
+import {
+  SECRETS_CHANGED_HOOK_ID,
+  type SecretsChangedPayload,
+} from "@checkstack/secrets-common";
+
+/**
+ * Backend hook fired when a secret is created, rotated, or deleted.
+ * Consumers (e.g. gitops) subscribe to re-reconcile entities that
+ * reference the changed secret.
+ */
+export const secretsChangedHook = createHook<SecretsChangedPayload>(
+  SECRETS_CHANGED_HOOK_ID,
+);